Virtru Policy Trends in Federal Surveillance Law May 8, 2014

CONFIDENTIAL

Why is Virtru Tracking Surveillance Law?

While Virtru hasn’t been affected by a national security order we need to be prepared. Our product predates the “startup clause” of the recent DOJ settlement. We intend to continue publishing transparency reports. Virtru’s strategy hinges upon how the courts view encryption keys and what is required to access these keys.

Internet  Backbone  in  2010  

•  For  beCer  or  worse,  US  is  the  hub  of  the  global  Internet.    •  Very  hard  for  foreign  countries  to  wall  themselves  off  and  ineffec4ve  anyway.  •  Special  responsibility  and  sensi4vity  for  US  companies  given  recent  revela4ons.  

US  Technology  Companies:    Bad  Rep  on  Privacy  

Mark  Zuckerberg  (Facebook):    “That  social  norm  is  just  something  that  has  evolved  over  4me.”    ScoC  McNealy  (Sun  Microsystems):    “You  have  zero  privacy  anyway.    Get  over  it.”        

Data:  How  Law  Sees  It  Data:  generally  treated  as  wri4ng    Analogies      -­‐-­‐files  =  documents      -­‐-­‐computer  =  container    In  transit  versus  at  rest      -­‐-­‐at  rest  =  document?      -­‐-­‐in  transit  =  wiretap?        

Metadata  Collec4on  •  Despite  major  debate,  few  real  changes  to  surveillance  laws  in  the  past  year.  

•  Most  likely  reform  in  the  short  run  is  to  bulk  telephony  metadata  collec4on  –  Internet  bulk  metadata  collec4on  under  different  provision  of  FISA  could  affect  Virtru;  ended  in  2011  

Content  Collec4on  •  Methods  of  collec4on:  criminal  

tools,  FISA  (tradi4onal  and  sec4on  702),  overseas  signals  intelligence  

•  ECPA  reform  (criminal)  hasn’t  gone  anywhere  

•  President’s  reform  direc4ve  (PPD-­‐28)  guidelines  to  protect  privacy  interests  of  foreigners    

•  Reform  coali4on:  4ghten  sec4on  702  of  FISA  (e.g.,  restrict  categories  of  intelligence);  not  in  current  FISA  reform  bills  

•  PCLOB  to  provide  recommenda4ons  on  sec4on  702  in  June  

Encryp4on  Keys  

•  S4ll  unclear  what  legal  tools  are  permiCed  to  access  encryp4on  keys:  subpoena,  pen/trap,  search  warrant?  

•  Lavabit  –  raised  “master  key”  issue  because  architecture  was  flawed;  Virtru’s  is  different,  would  not  raise  same  issue  

•  Lavabit  case  sidestepped  issue:  dismissed  appeal  because  Lavabit  failed  to  properly  raise  arguments  in  district  court  

Mobile  Phone  Search  Cases  Is  a  warrant  needed  to  search  phone  upon  arrest?  

United  States  v.  Wurie,  13-­‐212  Boston  case  –  following  up  on  informa4on  from  review  of  cell  phone  logs  on  arrest  at  a  drug  deal  resulted  in  search  of  suspect’s  apartment    

Riley  v.  California,  No.  13-­‐132  California  case  –  forensic  analysis  of  photos  on  phone  lead  to  arrest  for  gang  ac4vity,  following  arrest  on  traffic  viola4on  

     

Transparency  

•  Google,  other  major  tech  companies  agreed  with  DOJ  on  rules  for  transparency  reports;  withdrew  legal  challenge.  

•  Agreement  sets  forth  DOJ  posi4on;  contains  2-­‐year  gag  rule  for  “new  capabili4es”  

•  Virtru  published  a  transparency  report  and  promised  to  update  regularly;  would  test  this  rule